AWS Certified Advanced Networking Specialty
275 practice questions
Last reviewed: April 2026
The AWS Certified Advanced Networking Specialty (ANS-C01) is the deepest networking credential AWS offers and is widely considered one of the more challenging certifications from any cloud provider. It validates the ability to design, implement, and operate complex AWS network architectures: hybrid connectivity, multi-region transit, advanced DNS, edge services, and security at the network layer. The exam targets senior network engineers, cloud network architects, and infrastructure engineers with multi-year AWS and traditional networking experience. Expect long, scenario-heavy questions that combine VPC, Transit Gateway, Direct Connect, Route 53, CloudFront, Global Accelerator, and Network Firewall, usually with one objectively correct answer among plausible distractors. ANS-C01 launched in July 2022, replacing ANS-C00, and is conceptual (no hands-on labs).
The largest domain at 30%. VPC topology choices, hub-and-spoke with Transit Gateway, multi-region patterns, hybrid connectivity selection (Direct Connect vs. Site-to-Site VPN vs. Cloud WAN), and DNS architecture with Route 53 Resolver. Tests architectural judgment more than service knowledge.
BGP configuration on Direct Connect and Site-to-Site VPN, transit gateway route tables and propagation, VPC peering and PrivateLink, and IPv6 deployment. Common stumbling block: nuanced BGP path selection and AS-PATH prepending.
VPC Flow Logs, Reachability Analyzer, Network Access Analyzer, Transit Gateway Network Manager, and CloudWatch metrics for networking. Tests practical operational fluency.
AWS Network Firewall, security groups vs. NACLs, WAF, Shield, Resolver DNS Firewall, and centralized inspection patterns with Gateway Load Balancer. Often missed: the precise traffic-flow sequence through GWLB-based inspection VPCs.
Services you'll encounter on the exam and why each one matters.
Logically isolated virtual network with subnets, route tables, NACLs, security groups, Internet Gateway, NAT Gateway, and VPC peering as the building blocks.
Why it's on the exam: Every ANS-C01 Network Design and Network Implementation scenario starts with VPC topology; CIDR sizing, multi-AZ subnets, and route-table targeting are the question fundamentals.
Regional network transit hub interconnecting thousands of VPCs and on-prem networks via attachments and transit-gateway route tables, with inter-region peering.
Why it's on the exam: Network Design questions on hub-and-spoke, segmentation, and replacing full-mesh VPC peering at scale name Transit Gateway as the canonical answer.
Dedicated 1/10/100 Gbps private circuits to AWS with private, public, and transit virtual interfaces, BGP peering, jumbo frames, and Direct Connect Gateway for multi-region reach.
Why it's on the exam: Network Implementation tests hybrid connectivity tradeoffs: Direct Connect vs VPN, LAG bundling, MACsec, and BGP path manipulation are exam staples.
IPsec tunnels (static or BGP) terminating on a Virtual Private Gateway or Transit Gateway for site-to-site; OpenVPN-based managed endpoint with mTLS or SAML auth for Client VPN.
Why it's on the exam: Hybrid-connectivity questions weigh VPN backup-to-Direct-Connect, ECMP-bundled tunnels, and accelerated-VPN choices, all tested under Network Implementation.
Managed global WAN that unifies VPC, Direct Connect, VPN, and SD-WAN attachments under a single core network with policy-driven segmentation and routing.
Why it's on the exam: Network Design scenarios for multi-region global topologies increasingly cite Cloud WAN as the modern alternative to stitched-together Transit Gateways with TGW peering.
Authoritative DNS with weighted/latency/geolocation/failover routing plus the Resolver service that runs inbound and outbound endpoints for hybrid DNS between VPCs and on-prem.
Why it's on the exam: Hybrid-DNS resolution (forwarding rules, conditional forwarders, private hosted zones) is a recurring Network Design and Implementation pattern on ANS-C01.
Private connectivity between VPCs, AWS services, and on-prem via interface VPC endpoints (ENIs with private IPs in your subnets) and Gateway Load Balancer endpoints; traffic stays on the AWS backbone and never traverses the public internet.
Why it's on the exam: Design questions about exposing services across accounts or removing public internet paths to AWS APIs resolve to PrivateLink + VPC endpoints, with the Gateway endpoint (S3 and DynamoDB only, a route-table target, no hourly charge) vs Interface endpoint (ENI, hourly plus per-GB charge, works cross-account and from on-prem) distinction.
Global CDN with 600+ edge locations, origin failover, custom origins (S3, ALB, MediaPackage), CloudFront Functions / Lambda@Edge for request/response manipulation, and field-level encryption.
Why it's on the exam: Edge-delivery scenarios under Network Design (origin shielding, signed URLs, CloudFront-to-private-origin via OAC, and POP selection) are tested heavily.
Three L4/L7 load-balancer types: ALB for HTTP(S) routing and WAF integration, NLB for ultra-low-latency L4 and static IPs, GWLB for inserting transparent appliance fleets via GENEVE.
Why it's on the exam: Picking ALB vs NLB for protocol/scale, and GWLB for inline-firewall insertion, is one of the most common Network Implementation distractor patterns on the exam.
Anycast IP entry points that ride the AWS global backbone to the nearest healthy regional endpoint (ALB, NLB, EC2, or Elastic IP), with sub-minute failover and traffic-dial controls.
Why it's on the exam: Network Design questions distinguishing Global Accelerator (TCP/UDP at L4, static anycast IPs) from CloudFront (HTTP caching at L7) are an exam staple.
Managed stateful firewall with Suricata-compatible rule groups, deep-packet inspection, TLS inspection, and centralized deployment via Firewall Manager.
Why it's on the exam: East-west and egress inspection patterns under Network Security cite Network Firewall as the managed alternative to self-hosted appliances behind GWLB.
L7 web-application firewall attaching to CloudFront, ALB, API Gateway, AppSync, or App Runner; managed rule groups, rate limiting, bot control, and CAPTCHA.
Why it's on the exam: Network Security questions on OWASP Top-10 mitigation, application-layer rate limiting, and bot management at the edge name WAF as the answer.
Subscription-tier DDoS protection with the Shield Response Team (SRT), L3/L4/L7 mitigations, cost-protection refunds for scaling under attack, and global-threat dashboards.
Why it's on the exam: Domain 4 (Network Security, Compliance, and Governance) tests Shield Advanced for sustained DDoS resilience on internet-facing CloudFront, Route 53, Global Accelerator, and ELB.
REST / HTTP / WebSocket APIs; the private endpoint type (REST APIs only) is reachable solely through interface VPC endpoints, and resource policies lock down callers by VPC, VPC endpoint, account, or source IP.
Why it's on the exam: Exposing internal APIs to other accounts or on-prem without internet egress is a Network Design scenario that hinges on private API Gateway + PrivateLink wiring.
Flow Logs capture 5-tuple metadata (plus action, packet and byte counts) for accepted and rejected traffic to CloudWatch Logs, S3, or Kinesis Data Firehose; Traffic Mirroring copies full packets (VXLAN-encapsulated) from ENIs to an ENI, NLB, or Gateway Load Balancer endpoint target for IDS / forensics.
Why it's on the exam: Network Management and Operations questions on troubleshooting reachability and on packet-level forensics distinguish Flow Logs (metadata) from Traffic Mirroring (full payload).
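The Flow Logs vs Traffic Mirroring distinction above is easier to internalise once you have parsed a few flow-log records yourself. The following is an added example (not CertLabPro or AWS code): it parses the default version-2 record format, summarises rejected flows per destination socket, and flags the signature of a stateless NACL that is missing its ephemeral-port return rule (a REJECT whose source port is the service port and whose destination port is ephemeral; a stateful security group never produces that pattern for traffic it allowed outbound). The log lines, account ID, ENI ID and addresses are constructed placeholders.

```python
"""Parse VPC Flow Log records (default v2 format) and summarise rejects.

Added example, not from CertLabPro or AWS. SAMPLE_LINES below are constructed;
the account ID, ENI ID and IP addresses are placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Default flow-log record layout, in order (the AWS "version 2" default fields).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: str
    packets: int
    byte_count: int
    action: str  # "ACCEPT" or "REJECT"


def parse_line(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA records and malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        # NODATA / SKIPDATA rows carry '-' in the 5-tuple fields: nothing to summarise.
        return None
    proto_num = int(rec["protocol"])
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=PROTO_NAMES.get(proto_num, str(proto_num)),
        packets=int(rec["packets"]),
        byte_count=int(rec["bytes"]),
        action=rec["action"],
    )


def parse_lines(lines) -> List[FlowRecord]:
    return [r for r in (parse_line(ln) for ln in lines) if r is not None]


def reject_summary(records) -> Counter:
    """Count REJECTed flows per (dstaddr, dstport, protocol): the first view to
    pull up when a security group or NACL is suspected of dropping traffic."""
    return Counter((r.dstaddr, r.dstport, r.protocol)
                   for r in records if r.action == "REJECT")


def stateless_return_rejects(records) -> List[FlowRecord]:
    """Heuristic for a NACL missing its ephemeral-port return rule: rejected flows
    whose *source* port is a well-known service port and whose destination port is
    ephemeral. Security groups are stateful and never reject the return half of a
    connection they allowed outbound, so this pattern points at the NACL."""
    return [r for r in records
            if r.action == "REJECT" and r.srcport < 1024 and r.dstport >= 1024]


SAMPLE_LINES = [  # constructed, not real telemetry
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 49152 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.40 10.0.1.25 443 49152 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 55000 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 55001 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    for (dst, port, proto), n in reject_summary(recs).most_common():
        print(f"REJECT x{n}: {dst}:{port}/{proto}")
    for r in stateless_return_rejects(recs):
        print(f"possible NACL ephemeral-port gap: {r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport}")
```

Run against the constructed sample, the summary shows two SSH rejects from an external address (expected, a security group doing its job) and one reject of HTTPS return traffic on port 49152, which the heuristic flags as the NACL symptom. Note that flow logs cannot tell you which layer rejected a packet; the heuristic only narrows the search, and Reachability Analyzer is the tool that names the blocking component.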
Envoy-based service-mesh control plane with east-west traffic policies, retries, and observability; Cloud Map provides the underlying service-discovery registry (DNS or API).
Why it's on the exam: Microservice-networking design questions on traffic shaping, canary releases, and service discovery across ECS/EKS/EC2 fleets cite App Mesh + Cloud Map as the AWS-native answer.
IAM users/roles/policies plus VPC endpoint policies and the principal allow-list on PrivateLink endpoint services; AWS Resource Access Manager (RAM) shares subnets, Transit Gateways, and Route 53 Resolver rules across accounts (these have no resource-based policy of their own; cross-account access is granted through RAM).
Why it's on the exam: Domain 4 governance questions on cross-account VPC sharing, endpoint service principals, and least-privilege for network admins anchor to IAM + RAM.
Managed cryptographic keys used to encrypt Flow Logs delivered to S3 or CloudWatch Logs at rest, and to protect the Secrets Manager secrets that hold Site-to-Site VPN pre-shared keys and Direct Connect MACsec CKN/CAK pairs. (CloudFront field-level encryption uses an RSA public key uploaded to CloudFront, not a KMS key.)
Why it's on the exam: Compliance scenarios in Domain 4 cite KMS, together with Secrets Manager, as the answer for encrypting captured network telemetry at rest and for keeping VPN PSKs and MACsec keys out of plaintext configuration.
Single-pane-of-glass console and APIs for Transit Gateway, Cloud WAN, Direct Connect, and SD-WAN partners: events, route analysis, Network Access Analyzer integration, and topology visualization.
Why it's on the exam: Network Management and Operations questions on global topology visualization, route analyzer, and proactive event detection name Network Manager as the operations surface.
Account-wide audit log of every network-control-plane API call β who attached a TGW, who modified a route table, who created a peering connection.
Why it's on the exam: Domain 4 compliance questions cite CloudTrail as the immutable record needed for change attribution on VPCs, TGWs, security groups, and Resolver rules.
$135k (low) / $190k (mid) / $280k (high) USD annual
Range covers US-based mid-to-senior cloud networking roles where AWS proficiency is required. Top-tier financial services, FAANG, and large enterprise hub teams frequently exceed $330k TC. Entry "network engineer" titles in non-coastal markets fall below the low end. The advanced networking specialty reliably commands a premium because the candidate pool is small.
Source: levels.fyi 2025-2026 cloud network engineer roles, U.S. BLS OEWS May 2024 (15-1241 computer network architects, 15-1244 network and computer systems administrators). Figures are approximate; actual compensation depends on role, region, and experience.
Cloud networking is one of the smaller but most premium specialty fields in AWS hiring. Demand is concentrated at large enterprises, financial services, regulated industries, and cloud-native SaaS companies with complex multi-region or hybrid architectures. Recruiters use ANS-C01 as a credible signal that a candidate can design and operate non-trivial AWS networks; the candidate pool with both AWS depth and BGP/DNS fluency is genuinely small. It pairs naturally with SAA-C03 or SAP-C02 and with the Security Specialty (SCS-C03) for senior infrastructure roles. The cert does NOT by itself qualify candidates for chief-architect-level positions; those expect broader system-design and leadership experience.
There are no formal prerequisites. AWS recommends at least 5 years of networking experience (including hands-on production networking with both routing and switching), and at least 2 years of hands-on AWS experience.
Most candidates approach ANS-C01 after SAA-C03 or SAP-C02 for the AWS architectural foundation. The harder gap to close is traditional networking depth: candidates without strong BGP, OSPF, IPsec, and DNS backgrounds should expect substantial extra study because the exam assumes baseline networking fluency well beyond what the associate exams test. A working personal Direct Connect simulation (using Site-to-Site VPN with BGP), a multi-region Transit Gateway lab, and a Gateway Load Balancer inspection-VPC build are the highest-ROI preparation artifacts.
ANS-C01 is rated Specialty and is widely considered one of the hardest AWS exams. Plan 100-160 hours over 12-16 weeks for candidates with strong traditional networking backgrounds and AWS experience; 200-280+ hours for candidates missing one of those foundations. The exam is 65 questions (50 scored and 15 unscored, which are not identified) in 170 minutes; multiple-choice and multiple-response, no labs. Time pressure is real because reading and tracing network diagrams in scenario questions is slow.
Common stumbling blocks include nuanced BGP behavior over Direct Connect (LOCAL_PREF, AS_PATH, MED, communities), Transit Gateway route-table propagation vs. association, hybrid DNS resolution edge cases involving Route 53 Resolver inbound and outbound endpoints, and centralized inspection traffic flows with Gateway Load Balancer. Subtle PrivateLink and VPC endpoint policy interactions also recur.
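The BGP attributes named here (LOCAL_PREF, AS_PATH, MED) and the AS-PATH prepending stumbling block from the Network Implementation domain above come down to the order in which the best-path decision evaluates them. The following is an added example (not AWS code or CertLabPro material) that models just those steps for two Direct Connect paths to the same prefix and walks through the classic sequence: an on-prem router prepends its AS on the secondary VIF, AWS prefers the shorter path, and then a local-preference community on the prepended path overrides the prepending because LOCAL_PREF is evaluated first. The Direct Connect communities 7224:7100 / 7224:7200 / 7224:7300 (low / medium / high) are documented by AWS; the numeric values 100 / 200 / 300 assigned to them, the "no community means medium" default, and the path names are this example's assumptions.

```python
"""Simplified BGP best-path selection for the attributes ANS-C01 leans on.

Added example, not AWS code or CertLabPro material. It models only the
decision steps the page names: LOCAL_PREF, AS_PATH length, MED.
Assumptions: the AWS Direct Connect local-preference communities map to
LOCAL_PREF 100/200/300 and an untagged route counts as medium (200).
"""
from dataclasses import dataclass, replace
from typing import Sequence, Tuple

DX_LOCAL_PREF = {"7224:7100": 100, "7224:7200": 200, "7224:7300": 300}  # values assumed
DEFAULT_LOCAL_PREF = 200  # assumption: no community behaves like "medium"


@dataclass(frozen=True)
class Route:
    prefix: str
    via: str                         # label of the path that advertised it
    as_path: Tuple[int, ...]         # leftmost element is the neighbouring AS
    med: int = 0                     # MULTI_EXIT_DISC, lower wins
    communities: Tuple[str, ...] = ()


def local_pref(route: Route) -> int:
    prefs = [DX_LOCAL_PREF[c] for c in route.communities if c in DX_LOCAL_PREF]
    return max(prefs) if prefs else DEFAULT_LOCAL_PREF


def prepend(route: Route, times: int) -> Route:
    """AS_PATH prepending as configured on the customer edge: repeat its own AS."""
    own_as = route.as_path[0]
    return replace(route, as_path=(own_as,) * times + route.as_path)


def best_path(routes: Sequence[Route]) -> Route:
    """Pick the best of several paths for the *same* prefix.

    Order modelled: highest LOCAL_PREF, then shortest AS_PATH, then lowest MED,
    then a deterministic tie-break on the path label (standing in for the
    router-ID / oldest-path steps of the real algorithm). Real BGP compares MED
    only between paths learned from the same neighbouring AS; every scenario
    below satisfies that because both VIFs peer with AS 65000.
    """
    if len({r.prefix for r in routes}) != 1:
        raise ValueError("best_path compares candidates for one prefix; "
                         "longest-prefix match happens before BGP selection")
    return min(routes, key=lambda r: (-local_pref(r), len(r.as_path), r.med, r.via))


def scenarios() -> dict:
    """Four on-prem attempts to steer AWS-to-on-prem traffic over two DX VIFs."""
    primary = Route("10.10.0.0/16", "dx-primary", (65000,))
    secondary = Route("10.10.0.0/16", "dx-secondary", (65000,))

    # 1. Identical attributes: the result is only the tie-break, not a preference.
    tie = best_path([primary, secondary]).via

    # 2. Prepend three times on the secondary: AWS prefers the shorter AS_PATH.
    prepended = best_path([primary, prepend(secondary, 3)]).via

    # 3. Tag the still-prepended secondary with the HIGH community:
    #    LOCAL_PREF is evaluated before AS_PATH, so the prepending is ignored.
    high = replace(prepend(secondary, 3), communities=("7224:7300",))
    overridden = best_path([primary, high]).via

    # 4. MED only decides once LOCAL_PREF and AS_PATH length are equal.
    med_case = best_path([replace(primary, med=50), replace(secondary, med=10)]).via

    return {"tie": tie, "prepended": prepended, "community": overridden, "med": med_case}


if __name__ == "__main__":
    for name, winner in scenarios().items():
        print(f"{name:>10}: {winner}")
```

The exam trap this illustrates: a candidate who prepends on the backup VIF and also (perhaps by template) tags it with 7224:7300 has made it the preferred path, because LOCAL_PREF wins before AS_PATH length is ever compared. The same ordering is why, for the AWS-side decision, a more specific prefix on a VPN beats a less specific one on Direct Connect: longest-prefix match happens before any of these attributes are consulted, which is what the ValueError guard in best_path is reminding you of.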
Current version. Modernized coverage of Transit Gateway, Cloud WAN, Network Firewall, Gateway Load Balancer, and modern hybrid-DNS patterns. Replaced ANS-C00.
Original Advanced Networking Specialty. Retired in 2022; pre-Transit-Gateway-mature era.
ANS-C01 (AWS Certified Advanced Networking Specialty) is a deeply specialized exam covering advanced topics in a narrow domain; expect hands-on experience to be a practical prerequisite, as for every Specialty-level exam.
Most candidates need 100-200 hours of study spread over 2-4 months for specialty exams, which assume hands-on experience in the specialty domain. Time-to-pass varies widely by prior experience: engineers with hands-on production experience in the underlying technology typically need less, and candidates new to the platform should plan toward the upper end of that range. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
ANS-C01 is a recognized credential in the AWS ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals; it tends to pay off most for cloud engineers, architects, and consultants who work with AWS day-to-day or want to move into roles that do.
The passing score for ANS-C01 is 750 / 1000. The exam contains 65 questions and lasts 2 hr 50 min.
The ANS-C01 exam fee is $300 USD. Fees are set by AWS and may vary by region; always confirm the current price on the official AWS certification page before booking.
AWS certifications are valid for 3 years. A Specialty certification is renewed only by passing the current version of the same exam before it expires; the rule that a passed Professional exam renews an Associate certification does not apply to Specialty credentials.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for ANS-C01. The exam-simulation mode mirrors the real exam: 65 questions in 2 hr 50 min, with the same passing threshold of 750 / 1000. Browse mode lets you read every Q&A statically.